2769225a1e53c06e94b60d0938bb1032cd971cdd8c6eae5fadacde98b02d0088

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe
Size

479KB
MD5

7be9d78b52968c322d3093b9c8371d00
SHA1

91e067e2f886fe67619a4de8c68211bd7c5f3960
SHA256

2769225a1e53c06e94b60d0938bb1032cd971cdd8c6eae5fadacde98b02d0088
SHA512

4482145255d9d6ddff8f1c88491b3adbfd87f3d816050d42fcd02540ffcbab1dd9bdd51ce02e8e870600a656af095678f878ca4a60bbe65b2dd25c376e8a0957
SSDEEP

12288:M/lc87eqqV5e+wBV6O+qHcbI2ltusl5r/yKhK:M/SqqHeVBxpcTu+/3K

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2216	Searcont.exe
2232	~62C8.tmp
2304	bitsraid.exe

Loads dropped DLL 3 IoCs

pid	Process
1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe
1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe
2216	Searcont.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\diskconv = "C:\\Users\\Admin\\AppData\\Roaming\\reloeown\\Searcont.exe"	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bitsraid.exe	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	Searcont.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	Searcont.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2216	1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe	3
PID 1564 wrote to memory of 2216	1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe	3
PID 1564 wrote to memory of 2216	1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe	3
PID 1564 wrote to memory of 2216	1564	NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe	3
PID 2216 wrote to memory of 2232	2216	Searcont.exe	2
PID 2216 wrote to memory of 2232	2216	Searcont.exe	2
PID 2216 wrote to memory of 2232	2216	Searcont.exe	2
PID 2216 wrote to memory of 2232	2216	Searcont.exe	2
PID 2232 wrote to memory of 1232	2232	~62C8.tmp	10

C:\Windows\SysWOW64\bitsraid.exe
C:\Windows\SysWOW64\bitsraid.exe -s
1⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\~62C8.tmp
1232 490504 2216 1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\reloeown\Searcont.exe
"C:\Users\Admin\AppData\Roaming\reloeown"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7be9d78b52968c322d3093b9c8371d00_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~62C8.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\reloeown\Searcont.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
C:\Users\Admin\AppData\Roaming\reloeown\Searcont.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
C:\Users\Admin\AppData\Roaming\reloeown\Searcont.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
C:\Windows\SysWOW64\bitsraid.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
C:\Windows\SysWOW64\bitsraid.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
\Users\Admin\AppData\Local\Temp\~62C8.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\reloeown\Searcont.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
\Users\Admin\AppData\Roaming\reloeown\Searcont.exe

Filesize
479KB

MD5
8363a1d1bf76ba3af23f443b82493903

SHA1
c8bf7265352b6a1d54818316d0e3a05f967c1492

SHA256
c61a3a394fdf79633a4b9b4094a90f8a7d29abe9c5eccb86fd4cffa5c8abca37

SHA512
d81bef86ea0875207eadda12b5edaddec95707dc0f3cd16126948fc15a2eed55f8f29dd8be0d7fcd2070f662a361947852a2d830e117302ce3152068f5ed2920

Download Submit
memory/1232-18-0x0000000003DF0000-0x0000000003E77000-memory.dmp

Filesize
540KB

Download
memory/1232-28-0x0000000001CE0000-0x0000000001CE6000-memory.dmp

Filesize
24KB

Download
memory/1232-19-0x0000000003DF0000-0x0000000003E77000-memory.dmp

Filesize
540KB

Download
memory/1232-33-0x0000000002DD0000-0x0000000002DDD000-memory.dmp

Filesize
52KB

Download
memory/1232-22-0x0000000003DF0000-0x0000000003E77000-memory.dmp

Filesize
540KB

Download
memory/1564-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1564-14-0x0000000001E20000-0x0000000001EA2000-memory.dmp

Filesize
520KB

Download
memory/1564-1-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/1564-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1564-10-0x0000000001E20000-0x0000000001EA2000-memory.dmp

Filesize
520KB

Download
memory/2216-21-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/2216-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2216-20-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/2304-26-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/2304-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2304-36-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download